A cyber security survey of nearly 100 financial institutions by Deloitte has found that just 17 of them have reached the most advanced or mature level of security.

According to the professional services company, 17 percent of the organisations have reached ‘Adaptive’ status, the level identified as most mature by the US National Institute of Standards and Technology (NIST). Forty-three organisations have reached the next highest standard, Repeatable, while 12 are ‘Informed’, and the remaining two are in the least mature ‘Partial’ category.

Under NIST definitions, Adaptive organisations modify their cyber security policies and practices based on the lessons learned from previous threats and predictive indicators. In this category, senior executives monitor cyber security risk in the same context as financial and other risks to the organisation.

By contrast, Repeatable-level organisations have risk management practices that are formally approved and expressed as policy, but may not adapt to the shifting threat landscape; Informed organisations have practices that are approved by management, but these may not be established as policy throughout the entire organisation; while those in the Partial category have an ad hoc and reactive risk management approach.
Deloitte found three common denominators in organisations that have the most mature approach to cyber security. They are generally best able to: secure executive leadership and board involvement in cyber threat management; raise cyber security’s profile beyond the IT department; and align managing cyber risk more closely with business strategy.

Financial institutions that can successfully emulate these characteristics are likely to improve their cyber security maturity in the short term, as well as continue to bolster their defences in the longer term, says Deloitte.

“Having an engaged board that works closely with senior management on cyber security issues can help focus the entire organisation on the challenge while assuring that adequate resources are allocated to the task,” explains Deloitte.

However, respondents from Adaptive companies shouldn’t rest on their laurels, caution the report’s authors. While the survey reveals that high-maturity organisations may have settled on a solid governance system and laid the foundations for an effective risk-management programme, achieving excellence in cyber security is a journey, not a destination, they say.

The survey also revealed that high cyber security spending does not automatically translate into a high risk-management maturity level; that has more to do with policy, board-level buy-in, and the ability of the Chief Information Security Officer (CISO) to think ahead strategically, says Deloitte.

According to the survey, respondents spend an average of 10 percent of their IT budgets on cyber security, with small institutions generally committing a higher percentage to it (12 percent) than medium to large enterprises (nine percent).

Deloitte found that the highest spending group are financial utilities, such as clearing houses, exchanges, and payment processors, which average spending of around 15 percent of their IT budgets on cyber security.

Larger firms allocate nearly one-fifth of their cyber security budget to identity and access management – nearly twice the percentage of midsize and smaller companies, which generally spend more heavily on endpoint and network security.

However, while small companies may allocate more of their IT budgets to cyber security overall, they spend a smaller percentage of total revenues (0.2 percent) on it than medium-sized (0.5 percent) or large companies (0.4 percent).

Large financial institutions are far more likely than smaller organisations to keep their cyber security functions in-house, and so are least likely to outsource their cyber security workforce, found the survey.

They also tend to keep their CISOs within the IT department: 56 percent of respondents at large companies said their CISO reported to the CIO or CTO, rather than to the CRO or COO, compared to about one in four midsize and small companies.
The survey was carried out by the Financial Services Information Sharing and Analysis centre (FS-ISAC), in conjunction with Deloitte’s Cyber Risk Services practice.

Be part of a discussion and connect with like-minded leaders in your sector at our exclusive event series on banking and RegTech.